diff --git a/manifests/smoktest.yaml b/manifests/smoktest.yaml
index c7ffd5d..6f92267 100644
--- a/manifests/smoktest.yaml
+++ b/manifests/smoktest.yaml
@@ -124,7 +124,7 @@ components:
 base-url: "https://github.com/coredns/coredns"
 installation:
 method: "container-image"
- source_format: "registry.k8s.io/coredns/coredns:v{release}"
+ source_format: "ghcr.io/canonical/coredns:{release}-ck4"
 # Calico - required for cluster networking
 - name: calico
diff --git a/src/kube_galaxy/pkg/components/coredns.py b/src/kube_galaxy/pkg/components/coredns.py
new file mode 100644
index 0000000..5f90320
--- /dev/null
+++ b/src/kube_galaxy/pkg/components/coredns.py
@@ -0,0 +1,34 @@
+"""
+CoreDNS component installation and management.
+
+CoreDNS is used as the DNS server for Kubernetes clusters.
+"""
+
+import json
+import shlex
+
+from kube_galaxy.pkg.components import ComponentBase, register_component
+from kube_galaxy.pkg.utils.shell import run
+
+
+@register_component("coredns")
+class CoreDNS(ComponentBase):
+ def bootstrap_hook(self) -> None:
+ """Patch coredns deployment
+
+ This is needed to allow coredns to run with readOnlyRootFilesystem=false
+ which is required for certain versions of coredns that kubeadm may use.
+ The patch modifies the coredns deployment to set the securityContext of
+ the coredns container to allow read/write access to the root filesystem.
+
+ spec.template.spec.containers[0].securityContext.readOnlyRootFileystem=false
+ """
+ op = [
+ {
+ "op": "replace",
+ "path": "/spec/template/spec/containers/0/securityContext/readOnlyRootFilesystem",
+ "value": False,
+ }
+ ]
+ cmd = shlex.split("kubectl patch deployment/coredns -n kube-system --type='json' -p")
+ run([*cmd, json.dumps(op)], check=True)
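Review bot: The new `source_format` for the CoreDNS component pulls `ghcr.io/canonical/coredns:{release}-ck4` by tag, and a tag is a mutable reference, so the image a cluster bootstrap receives can change without this manifest changing. Because the line also moves the cluster DNS image to a different registry and publisher, pin it by digest if the manifest schema supports that, or verify the image signature before it is used. The `-ck4` suffix is hard-coded in the format string, so a `release` value with no published `-ck4` build would presumably fail to pull. A comment such as `# Canonical-built image; the -ck4 revision suffix must exist for every {release} used here` would record that dependency.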
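Review bot: `bootstrap_hook` sets `readOnlyRootFilesystem` to false on the first container of `deployment/coredns` unconditionally, which removes a hardening control from the cluster DNS pod in `kube-system` for every image rather than only those that need a writable root. The docstring should name the image or version that requires this; if only one path needs writes, mounting an `emptyDir` there would keep the root filesystem read-only, though which path that is cannot be told from this hunk. A JSON Patch `replace` fails when the target member is absent, so with `check=True` the hook raises on a deployment whose `securityContext` lacks the field, whereas `"op": "add",` sets the value in both cases. The docstring's last line misspells the field as `readOnlyRootFileystem`, and the `CoreDNS` class has no docstring of its own.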